A CRYPTOGRAPHIC SYSTEM COMPRISING AN ENCRYPTION AND 
DECRYPTION SYSTEM AND A KEY ESCROW SYSTEM, AND THE 
ASSOCIATED EQUIPMENT AND DEVICES 


The present invention concerns a cryptographic system, comprising an encryption and decryption system and a key escrow system, and the associated equipment and devices.

It is particularly intended to be used in electronic systems of the type comprising chip cards, PCMCIA cards, badges, contactless cards or any other portable equipment.

The majority of public key cryptography systems (also referred to as asymmetric cryptography) existing today use the RSA encryption algorithm, published in 1978 by R. Rivest, A. Shamir and L. Adleman, and then patented under the title «Cryptographic Communications System and Method» and the reference US 4 405 829.

The RSA system apart, there are very few practical public key encryption methods and systems. There is, however, another system, less well-known and relatively little used: this is the El-Gamal system, known by the title «A public-key cryptosystem and a signature scheme based on discrete logarithms» and published in the journal IEEE Transactions on Information Theory, vol. IT-31, no. 4, 1985, pp. 469-472.
An RSA or El-Gamal cryptogram is in fact a large number represented in a computer by strings of binary or hexadecimal digits. The cryptogram is calculated with the help of a software calculation resource (a program) and/or a hardware calculation resource (an electronic circuit) using a series of calculation rules (the encryption algorithm) which have to be applied, at the time of processing, to a set of parameters accessible to all in order to hide the content of the processed data. In an analogous manner, the cryptogram is decrypted with the help of a software or hardware calculation resource using a series of calculation rules (the decryption algorithm) applied (by the receiver of the cryptogram) to a set of secret and public parameters and to the cryptogram.

The encryption system or method makes use of a public key in order to produce the cryptogram. The decryption method uses a private key which corresponds to the secret key without, however, being identical to it. A user of an item of portable electronic equipment, for example a chip card, possesses a pair of keys (referred to as a public key and a secret key). It is assumed that the public keys are known to all users whereas the secret keys are never disclosed. Any person has the ability to encrypt a message for a user by using the public key of the latter, but cryptograms cannot be decrypted other than by using the secret key of the user.
By way of illustration, the operation of the well-known RSA algorithm will be described below.



The parameters of the RSA algorithm are:

1. Two secret prime numbers p and q equal in size to at least 256 bits. These prime numbers are generated in a particular manner, the detail of which is not essential to the understanding of the present invention but can however be found in the work «Applied Cryptography, Algorithms, Protocols and Source Codes» by Bruce Schneier (translation by Marc Vauclair), Thomson Publishing.



2. A public modulus n = pq.

3. A pair of exponents denoted {e, d}, e being a public exponent and d a secret exponent such that:

ed = 1 mod (p-1)(q-1)



The exponent e, referred to as the «encryption exponent», is accessible to all whereas the «decryption exponent» d must remain secret.

In order to encrypt the message m, the sender calculates the cryptogram c = m^e mod n and the receiver or checking device decrypts c by calculating m = c^d mod n.
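The RSA key set-up and the encryption/decryption pair just described, as an added example that is not part of the patent text, on constructed toy primes (p = 61, q = 53 and the public exponent e = 17; the function names are mine). The text asks for primes of at least 256 bits each; the tiny values here only make the arithmetic easy to follow.

```python
# Added example (not from the patent): the RSA parameters described above,
# on deliberately tiny constructed primes. Requires Python 3.8+ for the
# modular inverse pow(e, -1, phi).

def rsa_keygen(p, q, e):
    """Return (n, d) for the secret primes p, q and the public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    # e must be invertible modulo (p-1)(q-1); pow() raises ValueError if not.
    d = pow(e, -1, phi)
    assert (e * d) % phi == 1          # ed = 1 mod (p-1)(q-1)
    return n, d

def rsa_encrypt(m, e, n):
    """Sender side: c = m^e mod n (m must be smaller than n)."""
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def rsa_decrypt(c, d, n):
    """Receiver side: m = c^d mod n."""
    return pow(c, d, n)

# Constructed toy parameters: two small primes and the public exponent 17.
P, Q, E = 61, 53, 17
N, D = rsa_keygen(P, Q, E)   # N = 3233, D = 2753

if __name__ == "__main__":
    c = rsa_encrypt(65, E, N)
    print(f"n={N} e={E} d={D} c={c} m={rsa_decrypt(c, D, N)}")
```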
As regards the operation of the El-Gamal algorithm, this is a little more complex and is of no particular interest for understanding the present invention.


The present invention concerns a cryptographic system comprising an alternative public key encryption/decryption system, which presents an alternative to the RSA method and to the El-Gamal method, and a key escrow system.

According to the invention, provision is made that the cryptographic system, combining the so-called discrete logarithm and factorization principles, comprises, among other things, public keys and a secret key, and is characterised in that the said public keys comprise, at least:

a. an RSA modulus n, greater in size than 640 bits, having the following property:

n = (A pA + 1) × (B pB + 1)

in which:

pA and pB are prime numbers greater in size than 320 bits,

(A pA + 1) is an RSA prime denoted p,

(B pB + 1) is an RSA prime denoted q,
A is the product of k/2 (k being an even integer number between 10 and 120) prime numbers (denoted p[i], i = 1 to k/2) of relatively small size (between 2 and 16 bits) and

B is the product of k/2 prime numbers (also denoted p[i], i = k/2 + 1 to k);

the p[i]s being of relatively small size (between 2 and 16 bits), and also able to be merely mutually prime;

b. an exponentiation base g, of order φ(n)/4 (where φ(n) denotes the Euler indicator function), g therefore having not to be a p[i]-th power modulo n of any number.

More precisely, the invention relates to a cryptographic system comprising at least an encryption/decryption system, characterised in that the encryption of a message m, m < AB, consists of the operation:

c = g^m mod n

where c denotes the cryptogram (encrypted message).

Preferentially, the cryptographic system according to the invention is characterised in that the integrity of m can be provided by the encryption of m|h(m) (h denoting a hashing function and | denoting concatenation), or by the encryption of DES(key, m), «key» being a key accessible to all.
An object of the present invention is also the description of an escrow system. According to the invention, the said secret key of the decrypter or of the escrow centre is the number φ(n) and the operation of decryption or of recovering the identity of a user consists of the following steps:

a. calculating, for i from 1 to k: y[i] = c^(φ(n)/p[i]) mod n

b. for i from 1 to k, for j from 1 to p[i], comparing y[i] with the values g^(j φ(n)/p[i]) mod n, which are independent of m; if g^(j φ(n)/p[i]) mod n = y[i] then assign μ[i] = j

c. reconstructing the message m from the Chinese remainder theorem (CRT) and the values μ[i].

According to a variant embodiment, the said decrypter speeds up the calculation of the quantities y[i] by calculating:

a) z = c^r mod n where r = pA pB

b) for i from 1 to k: y[i] = z^(AB/p[i]) mod n,

so as to take advantage of the difference in size between AB/p[i] and φ(n)/p[i] for speeding up the calculations.
According to another variant embodiment of the invention, the decrypter pre-calculates and saves, once and for all, the table of values g^(j φ(n)/p[i]) mod n for 1 ≤ i ≤ k and 1 ≤ j ≤ p[i] or, more specifically, a truncation or a hashing of these values (denoted h) having the following property:

h(g^(j φ(n)/p[i]) mod n) ≠ h(g^(j' φ(n)/p[i]) mod n) if j ≠ j'.

In this way, this avoids on the one hand the recalculation for each i of the quantities g^(j φ(n)/p[i]) mod n and on the other hand the storage of values which are too large.
According to another preferential embodiment of the invention, the decrypter speeds up its calculations by separately decrypting the message modulo p and then modulo q, and composing the two results with the help of the Chinese remainder theorem, in order to find m again.

The escrow system is implemented by the following operational steps:

a. the escrow authority codes the identity of the user ID = Σ 2^(i-1) ID[i], where ID[i] are the bits of the identity of the said user of the system (the sum being taken for i from 1 to k), by calculating e(ID) = Π p[i]^ID[i] (the product being taken for i from 1 to k);
b. it issues, to the user, an El-Gamal key (that is to say an exponentiation base) c = g^(e(ID) u) mod n, in which u is a large random prime or a number prime with φ(n);

c. it thus makes it possible for the user to derive, from c, his El-Gamal public key by choosing a random number x and raising c to the power x modulo n;

d. with the aim of finding the trace of the user, the authority extracts, from the El-Gamal cryptogram of the encrypter, the said cryptogram always comprising two parts, the part:

v = c^r mod n

where r is the encryption random number chosen by the encrypter;

e. knowing φ(n), the said authority finds the bits ID[i] by means of the following algorithm:

1. calculate, for i from 1 to k: y[i] = v^(φ(n)/p[i]) mod n

2. if y[i] = 1, then μ[i] = 1, otherwise μ[i] = 0

3. calculate: ID' = Σ 2^(i-1) μ[i]

4. find: ID = CCE(ID')

in which CCE denotes an (optional) error correction mechanism (of the type of those described in the work «Correction Codes, Theory and Practice» by A. Poli and L. Huguet, published by Masson) intended to correct the perturbations introduced in the case of an illicit use of a composite r.

Another escrow system proposed is based on the so-called Diffie-Hellman key exchange mechanism, where a number c, obtained by raising g to a random power α modulo n by one of the parties, is intercepted by the said escrow authority:

c = g^α mod n

the said escrow authority finds α again in the following manner:

a. knowing the factorization of n, the said authority finds, with the help of the decryption algorithm, the value

a = α mod AB

that is α = a + βAB;

b. the said authority calculates: X = c/g^a mod n = g^(βAB) mod n

c. using a cryptanalysis algorithm (a discrete logarithm calculation algorithm, possibly executed twice (modulo p and modulo q) in order to speed up the performance thereof), the authority calculates the discrete logarithm β:

X = (g^AB)^β mod n

d. the said authority finds

α = a + βAB

and decrypts the communications based on the use of α.

According to another embodiment of the invention, the RSA modulus n is the product of three factors:

n = (A pA + 1) × (B pB + 1) × (C pC + 1)

in which pA, pB, pC are prime numbers greater in size than 320 bits,

(A pA + 1), (B pB + 1), (C pC + 1) are RSA primes, denoted respectively p, q, r,

A, B and C are each the product of k/3 prime numbers (denoted p[i], i = 1 to k), the p[i]s being of relatively small size (between 2 and 16 bits) and able to be merely mutually prime numbers, and k being an integer number between 10 and 120, so that the product ABC has at least 160 bits.
This embodiment is of interest for speeding up the performance of the decryption. The decrypter, in order to speed up its calculations, performs the operations mod p, mod q and mod r. If n has 640 bits, splitting it into three factors makes the size of the factors smaller.

The present invention is intended to be disposed preferentially in items of encryption, decryption and key escrow equipment which are for example computers, chip cards, PCMCIA cards, badges, contactless cards or any other portable equipment.

The present invention also relates to a device comprising a cryptographic system, characterised in that it comprises an encryption system and/or a decryption system and/or a key escrow system, the said systems communicating with one another by an exchange of electronic signals or by means of an exchange of radio waves or infrared signals.

So as to better understand the invention, it is necessary to make the following comments.

The encryption method of the invention is broken down into three distinct phases:

generation of the keys,
generation of the cryptogram,
and decryption of the cryptogram.
Subsequently, the following (typographical) conventions will be used:

φ(n) will denote the Euler indicator function.

φ(n) is defined thus: if n = n1 × n2 × n3 × ... × n(k-1) × nk, where n1, n2, n3, ..., n(k-1), nk are prime numbers, then:

φ(n) = (n1 - 1) × (n2 - 1) × (n3 - 1) × ... × (n(k-1) - 1) × (nk - 1).

First of all, and for a good understanding of the invention, it is necessary to describe the generation of the keys.

In order to generate the keys, the receiver of the cryptograms chooses at random two groups Ga and Gb of around k/2 small distinct primes p[i] (k being a system parameter of the order of 10 to 120) and forms the following two numbers (of approximately equal size):

A = the product of the p[i]s belonging to the set Ga

B = the product of the p[i]s belonging to the set Gb

For security reasons it seems appropriate to fix Ga and Gb such that:

1. Ga ∩ Gb is the null set

2. Certain p[i]s do not appear in Ga ∪ Gb

The inventive method proves to be reliable (although with a somewhat more complex description) even if condition 2 is not satisfied. The method also remains reliable if condition 1 is not satisfied, but the key generation and decryption algorithms must be modified in consequence, and become notably more complex. Also, the p[i]s can be non-prime while being mutually prime (for example, integer powers of prime numbers of two or three bytes).

For the simplicity of the description, the i-th odd prime number will be denoted p[i], for example: p[1] = 3, p[2] = 5, p[3] = 7, ...

It will be assumed subsequently that A is simply formed from the product of the p[i]s for i from 1 to k/2, and B from the product of the p[i]s for i from k/2 + 1 to k. However, this choice is not the best possible, and it must be interpreted only as a notational convention.

Next, the receiver of the cryptograms generates two large primes (typically of the order of 200 to 512 bits) denoted pA and pB such that p = A pA + 1 and q = B pB + 1 are RSA primes (RSA primes are such that, once multiplied, the product n = pq must be difficult to factorize).
In order to provide security, it appears preferable to impose minimum sizes on the different parameters:

1 - the product AB must at minimum be a number of the order of 160 bits;

2 - the size of each of the numbers pA, pB must exceed that of the product AB by at least 160 bits;

3 - the size of the number n = p × q must be at least 640 bits.

The procedure for generating such primes does not fall within the scope of the present invention and proves to be self-evident for persons skilled in the art.

Finally, the receiver of the message generates and publishes an element g of order φ(n)/4.

It is imperative that such a g verifies the following condition:

For all i, there exists no x such that g = x^p[i] mod n.

g can be calculated with the help of one of the following methods:

* first method of calculating g (fast):

The receiver of the message generates two integers:

gp, of order (p-1)/2 modulo p

gq, of order (q-1)/2 modulo q

As above, the generation of gp is in practice equivalent to the creation of a number which is not a p[i]-th power for all i less than k/2; similarly for gq with the obvious modifications:

1. set
x_0 = 1
t_1 = 1
t_i = product of the p[j]s for j from 1 to i-1

2. for all i from 1 to k/2
take a random x
raise x to the power t_i
if x^((p-1)/p[i]) = 1
try another x
otherwise
calculate x_i = x × (x_{i-1})^p[i]

3. set gp = x_{k/2}

4. set
x_0 = 1
t_1 = 1
t_i = product of the p[j]s for j from 1 to i-1

5. for all i from 1 to k/2
take a random x
raise x to the power t_i
if x^((q-1)/p[i]) = 1
try another x
otherwise
calculate x_i = x × (x_{i-1})^p[i]

6. set gq = x_k

7. construct g from gp and gq by applying the Chinese remainder method (denoted CRT in the rest of the description), a method described in the work «A course in number theory and cryptography», by Neal Koblitz, second edition, published by Springer-Verlag. It may be necessary to square the number produced in order to finally obtain g.
It is shown (the detail of such a proof is not necessary for understanding the present invention) that each step of the algorithm determines an element which is not a p[j]-th power for j less than or equal to i.

* second method of calculating g (simple)

An alternative approach consists of choosing g randomly and testing that such a g is not a p[j]-th power modulo n. A precise calculation shows that (on average) such a g will be found at the end of ln(k) random draws (that is, for k = 120, around one chance in five).

So as to understand the invention well, it is now necessary to describe the generation of the cryptogram.

The cryptogram c of a message less than the product AB is calculated by the formula:

c = g^m mod n.

The description of the invention now turns towards a description of the decryption of the cryptogram.

In order to find m again, the decrypter performs the following operations:

1. calculate, for i from 1 to k: y[i] = c^(φ(n)/p[i]) mod n

Let m[i] = m mod p[i] and m' = (m - m[i])/p[i]
By substitution, it is easy to see that:

y[i] = c^(φ(n)/p[i]) mod n
= g^((m[i] + m' p[i]) φ(n)/p[i]) mod n
= g^(m[i] φ(n)/p[i]) × g^(m' φ(n)) mod n
= g^(m[i] φ(n)/p[i]) mod n

2. for i from 1 to k do:
for j from 1 to p[i] do:
if g^(j φ(n)/p[i]) mod n = y[i] assign μ[i] = j

3. find
m = CRT(μ[1], μ[2], ..., μ[k])

The decryption algorithm can be improved in various ways:

Typically, it is possible to pre-calculate and tabulate the values g^(j φ(n)/p[i]) mod n for all values of the variables i and j necessary for the decryption to take place. In addition, such a table can be truncated or hashed provided that the method of truncation or hashing (denoted h) ensures that:

h[g^(j φ(n)/p[i]) mod n] ≠ h[g^(j' φ(n)/p[i]) mod n] if j ≠ j'.

With such an embodiment, it proves possible to decrypt messages of 20 bytes with k = 30 (the product AB then gives 160 bits, a modulus n of 80 bytes and a table of 4 kilobytes).



As mentioned in the «key generation» part, it may be more advantageous to choose 16 primes of 10 bits, instead of the 30 primes p[i] (k is then equal to 16). As there are 75 such primes, there are around 2^... possible choices. It is not necessary to publish the primes chosen, although this does not add any additional security.

It is even possible to choose mutually prime numbers, for example powers of prime numbers, which further increases the range of choice of these parameters.

A second embodiment makes it possible to speed up the decryption by calculating, as soon as the cryptogram is received, the quantity:

z = c^r mod n, where r = pA pB

The quantities y[i] can then be calculated more easily by taking the following calculation short cut:

y[i] = z^(AB/p[i]) mod n

thus taking advantage of the difference in size between AB/p[i] and φ(n)/p[i], which speeds up the exponentiation.

A third embodiment makes it possible to speed up the decryption by separately decrypting the message modulo p and then modulo q (p and q being half the size of n, the decryption will be twice as fast) and composing the results modulo φ(n).

This alternative decryption method is described thus:

1. calculate, for i from 1 to k/2: y[i] = c^(φ(p)/p[i]) mod p

Let m[i] = m mod p[i] and m' = (m - m[i])/p[i]

By substitution, it is easy to see that:

y[i] = c^(φ(p)/p[i]) mod p
= g^(m φ(p)/p[i]) mod p
= g^((m[i] + m' p[i]) φ(p)/p[i]) mod p
= g^(m[i] φ(p)/p[i]) × g^(m' φ(p)) mod p
= g^(m[i] φ(p)/p[i]) mod p

2. for i from 1 to k/2 do:
for j from 1 to p[i] do:
if g^(j φ(p)/p[i]) mod p = y[i] assign μ[i] = j

3. find:
m mod φ(p) = CRT(μ[1] mod p[1], ..., μ[k/2] mod p[k/2])

4. perform steps {1, 2, 3} again with q in place of p.

5. calculate m = CRT(m mod φ(p), m mod φ(q))

It may prove necessary to protect the message m against manipulation by encrypting, by means of the method proposed in the present invention, f(key, m), in which f is a symmetric encryption function (for example the DES algorithm) of which the parameter «key» is accessible to all. Alternatively, the decryption method may verify that the message m obtained is correct, that is to say that its cipher is c. Another way of protecting m may be the encryption, by the method proposed, of m|hash(m) (that is to say c = g^(m|hash(m)) mod n), where hash(m) is a hashing of the message m, and | represents concatenation (in this case, the decryption verifies the integrity of the message obtained by calculating its hash).

It is possible to extend the encryption system described above to the case where the modulus n is no longer composed of two, but of three, factors. This will then give:

n = pqr

with p = A pA + 1, q = B pB + 1, r = C pC + 1, where pA, pB, pC are three large primes (of 200 to 512 bits), and A, B, C are each the product of small distinct odd primes, coming from sets Ga, Gb, Gc.

The modifications to be made are self-evident to persons skilled in the art.

Furthermore, it appears possible to slightly relax condition 2 of the preceding descriptive part on the generation of keys (which is set out here: «certain p[i]s do not appear in Ga ∪ Gb ∪ Gc»). In this way, a set of parameters where n has 640 bits, the product ABC has 160 bits, and each of the p[i]s correlatively has 160 bits, provides appropriate security.
The second object of the present invention is to describe a key escrow system improving the method described by Y. Desmedt in «Securing traceability of ciphertexts - Towards a secure software key escrow system» (Proceedings of Eurocrypt '95, Lecture Notes in Computer Science 921) and supplemented by the observations expressed by L. Knudsen and T. Pedersen in the article «On the difficulty of software key escrow» (Proceedings of Eurocrypt '96, Lecture Notes in Computer Science 1070).

In order to improve notably the key escrow function proposed by Y. Desmedt, a variant of the encryption method will be considered:

Let ID, the identity of each user, be coded in binary:

ID = Σ 2^(i-1) ID[i]

where ID[i] are the bits of the identity of a user of the key escrow system (the sum being taken for i from 1 to k), and let e(ID) = Π p[i]^ID[i] (the product being taken for i from 1 to k).

Finally let c = g^(e(ID) u) mod n, where u is a large random prime.

c is given to the user as the exponentiation base for El-Gamal encryption. The user derives, from c, his El-Gamal public key by choosing a random number x and raising c to the power x modulo n.



In order to trace the user, the said key escrow centre extracts, from the El-Gamal cryptogram of the user, the part:

c^r mod n

where r is the encryption random number chosen by the user.

Knowing φ(n), the said centre finds the bits ID[i] by means of the following algorithm:

1. calculate, for i from 1 to k: y[i] = (c^r)^(φ(n)/p[i]) mod n

2. for i from 1 to k do:
for j from 1 to p[i] do:
if y[i] = 1 assign μ[i] at 1, otherwise assign μ[i] at 0.

3. calculate:

ID' = Σ 2^(i-1) μ[i]

4. find: ID = CCE(ID')

where CCE denotes an error correction mechanism (of the type of those described in the work «Correction Codes, Theory and Practice» by A. Poli and L. Huguet, published by Masson) intended to correct the perturbations introduced in the case of an illicit use of a composite r.
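The identity-tracing escrow just described, as an added example that is not part of the patent text, on constructed toy parameters: k = 4 small primes p[i] = 3, 5, 7, 11, pA = 19, pB = 13, a constructed u = 1009 and constructed values of r. One assumption of mine differs from the text's notation: p and q are written p = 2·A·pA + 1 and q = 2·B·pB + 1, with the factor 2 spelled out so that p and q are odd (the text writes A·pA + 1 and gives g the order φ(n)/4). The function names are mine, and the optional CCE step is left out, so the last call shows what a composite r divisible by p[1] does to the recovered identity.

```python
# Added example (not from the patent): tracing a user's identity from the
# escrowed El-Gamal base, on constructed toy parameters. Python 3.8+.
from math import gcd, prod

PRIMES = [3, 5, 7, 11]            # p[1..k], k = 4 (constructed)
A, B = 3 * 5, 7 * 11              # A = 15, B = 77
P = 2 * A * 19 + 1                # 571, prime (pA = 19; factor 2 is my assumption)
Q = 2 * B * 13 + 1                # 2003, prime (pB = 13)
N = P * Q                         # 1143713
PHI = (P - 1) * (Q - 1)           # 1141140: the escrow centre's secret

def find_g():
    """Second method of the text: take the first g that is not a
    p[i]-th power mod n for any i, i.e. g^(phi/p[i]) != 1 for all p[i]."""
    g = 2
    while not all(pow(g, PHI // pi, N) != 1 for pi in PRIMES):
        g += 1
    return g

G = find_g()

def id_bits(ID):
    """ID = sum over i of 2^(i-1) ID[i]; return [ID[1], ..., ID[k]]."""
    return [(ID >> i) & 1 for i in range(len(PRIMES))]

def e_of_id(ID):
    """e(ID) = product over i of p[i]^ID[i]."""
    return prod(pi ** b for pi, b in zip(PRIMES, id_bits(ID)))

def issue_base(ID, u):
    """Escrow centre: the user's El-Gamal base c = g^(e(ID)*u) mod n.
    u is a large prime in the text (a small constructed one here); it
    must be coprime to phi(n), hence to every p[i]."""
    if gcd(u, PHI) != 1:
        raise ValueError("u must be prime with phi(n)")
    return pow(G, e_of_id(ID) * u, N)

def elgamal_first_part(base, r):
    """The part c^r mod n of an El-Gamal cryptogram formed with the base c
    and the sender's random r; the rest of the cryptogram is not needed."""
    return pow(base, r, N)

def trace(v):
    """Escrow centre, knowing phi(n): y[i] = v^(phi/p[i]) mod n; the bit
    mu[i] is 1 exactly when y[i] == 1 (p[i] divides e(ID)*u*r).
    Returns ID' = sum 2^(i-1) mu[i]; no CCE correction is applied."""
    bits = [1 if pow(v, PHI // pi, N) == 1 else 0 for pi in PRIMES]
    return sum(b << i for i, b in enumerate(bits))

if __name__ == "__main__":
    ID = 0b1010                       # ID[2] = ID[4] = 1, so e(ID) = 5 * 11
    base = issue_base(ID, u=1009)
    r_ok = 17                         # coprime to every p[i]
    r_bad = 3 * 17                    # composite r divisible by p[1] = 3
    print("honest r    ->", bin(trace(elgamal_first_part(base, r_ok))))
    print("composite r ->", bin(trace(elgamal_first_part(base, r_bad))))
```

With the honest r the recovered ID' equals the encoded ID; with r divisible by p[1] the bit μ[1] is forced to 1 and ID' reads 0b1011, which is the perturbation the text's CCE step is meant to correct.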



The correction mechanism can be omitted; the algorithm making it possible to trace the user must then undergo modifications self-evident to persons skilled in the art, and use a number of quantities analogous to c^r mod n, corresponding to a number of executions of the El-Gamal encryption algorithm.

The third object of the present invention is to present a second key escrow system based on the so-called Diffie-Hellman key exchange mechanism, a mechanism patented under the reference US 4 200 770.

In such a system, a number c, obtained by raising g to a random power α modulo n by one of the parties, is intercepted by the escrow authority.

c = g^α mod n

The said escrow authority finds α again in the following manner:

1. Knowing the factorization of n, the authority finds, with the help of the decryption algorithm, the value

a = α mod AB

that is α = a + βAB

2. The authority calculates:

X = c/g^a mod n = g^(βAB) mod n

(since c = g^α mod n = g^(a + βAB) = g^a × g^(βAB) mod n)

3. Using a cryptanalysis algorithm (a discrete logarithm calculation algorithm, possibly executed twice (modulo p and modulo q) in order to speed up the performance thereof), the authority calculates the discrete logarithm β:

X = (g^AB)^β mod n

4. The authority finds

α = a + βAB

and decrypts the communications based on the use of α.
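The key generation, cryptogram generation and decryption of the earlier sections (including the z = c^r shortcut) and the Diffie-Hellman escrow recovery just described, in one added example that is not the patent's own code, on constructed toy parameters (k = 4 primes 3, 5, 7, 11; pA = 19, pB = 13). Assumptions of mine: p and q are formed as p = 2·A·pA + 1 and q = 2·B·pB + 1, the factor 2 being spelled out so that p and q are odd (the text writes A·pA + 1 and gives g the order φ(n)/4), so the shortcut exponent r becomes φ(n)/AB = 4·pA·pB instead of pA·pB; g is found by the text's second method, additionally requiring that pA and pB divide its order; the discrete logarithm of step 3 is done by baby-step giant-step on the subgroup generated by g^AB; all function names are mine.

```python
# Added example (not from the patent): key generation, encryption,
# decryption and Diffie-Hellman escrow recovery on toy parameters.
# Python 3.8+ (math.prod, math.isqrt, pow(x, -1, m)).
from math import prod, isqrt

def is_prime(x):
    """Trial division: adequate for the toy sizes used in this example."""
    return x >= 2 and all(x % d for d in range(2, isqrt(x) + 1))

def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    M = prod(moduli)
    return sum(r * (M // m) * pow(M // m, -1, m)
               for r, m in zip(residues, moduli)) % M

def keygen(primes, start_a, start_b):
    """Key generation of the text with Ga = first half and Gb = second half
    of `primes`. pA (resp. pB) is the first prime >= start_a (resp.
    start_b), not among the p[i], for which p = 2*A*pA + 1 (resp.
    q = 2*B*pB + 1) is prime (factor 2: my assumption). Returns
    (public, secret)."""
    k = len(primes)
    A, B = prod(primes[: k // 2]), prod(primes[k // 2:])

    def find_factor(cofactor, cand):
        while not (is_prime(cand) and cand not in primes
                   and is_prime(2 * cofactor * cand + 1)):
            cand += 1
        return cand, 2 * cofactor * cand + 1

    pA, p = find_factor(A, start_a)
    pB, q = find_factor(B, start_b)
    n, phi = p * q, (p - 1) * (q - 1)
    # "Second method" for g: draw candidates until g is not a p[i]-th power
    # mod n for any i, i.e. g^(phi/p[i]) != 1. The text wants g of order
    # phi(n)/4, so pA and pB are required to divide the order as well.
    g = 2
    while not all(pow(g, phi // d, n) != 1 for d in primes + [pA, pB]):
        g += 1
    return ({"n": n, "g": g, "primes": primes, "AB": A * B},
            {"phi": phi, "pA": pA, "pB": pB})

def encrypt(pub, m):
    """Cryptogram c = g^m mod n of a message m < AB."""
    if not 0 <= m < pub["AB"]:
        raise ValueError("m must be smaller than AB")
    return pow(pub["g"], m, pub["n"])

def decrypt(pub, sec, c, shortcut=False):
    """y[i] = c^(phi/p[i]) mod n equals g^(j*phi/p[i]) exactly for
    j = m mod p[i]; the CRT over all p[i] then yields m mod AB. With
    shortcut=True, z = c^r (r = phi/AB, i.e. 4*pA*pB here) is computed
    once and y[i] = z^(AB/p[i]): AB/p[i] is far smaller than phi/p[i]."""
    n, g, phi, AB = pub["n"], pub["g"], sec["phi"], pub["AB"]
    z = pow(c, phi // AB, n) if shortcut else None
    residues = []
    for pi in pub["primes"]:
        y = pow(z, AB // pi, n) if shortcut else pow(c, phi // pi, n)
        base = pow(g, phi // pi, n)        # tabulable once and for all
        residues.append(next(j for j in range(pi) if pow(base, j, n) == y))
    return crt(residues, pub["primes"])

def bsgs(h, X, n, bound):
    """Baby-step giant-step: smallest beta < bound with h^beta = X mod n."""
    m = isqrt(bound) + 1
    baby, e = {}, 1
    for j in range(m):                     # baby steps h^0 .. h^(m-1)
        baby.setdefault(e, j)
        e = e * h % n
    giant_step, gamma = pow(h, -m, n), X   # gamma = X * h^(-i*m)
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant_step % n
    return None

def dh_escrow_recover(pub, sec, c, bound):
    """Diffie-Hellman escrow of the text for c = g^alpha mod n with
    alpha < bound*AB: (1) a = alpha mod AB by the decryption algorithm,
    (2) X = c / g^a = (g^AB)^beta, (3) beta by a discrete-log search,
    (4) alpha = a + beta*AB."""
    n, g, AB = pub["n"], pub["g"], pub["AB"]
    a = decrypt(pub, sec, c)
    X = c * pow(pow(g, a, n), -1, n) % n
    beta = bsgs(pow(g, AB, n), X, n, bound)
    return a + beta * AB

if __name__ == "__main__":
    pub, sec = keygen([3, 5, 7, 11], 19, 13)     # constructed toy set
    c = encrypt(pub, 1000)
    print(pub, decrypt(pub, sec, c), decrypt(pub, sec, c, shortcut=True))
    alpha = 3 * pub["AB"] + 123
    print(dh_escrow_recover(pub, sec, pow(pub["g"], alpha, pub["n"]), 16))
```

The `bound` argument of the escrow routine stands in for the size of the exponent the authority expects; with the toy modulus the discrete logarithm β is a few steps, whereas with the text's 640-bit n and 160-bit AB the remaining logarithm is the expensive part, which is why the text suggests running it modulo p and modulo q separately.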

The embodiment of the invention will be better understood from a reading of the description and the drawings which follow; in the accompanying drawings:

Figure 1 depicts the flow diagram of an encryption system using the system proposed by the present invention,

Figure 2 depicts the flow diagram of a decryption system using the system proposed by the present invention,

Figure 3 depicts the data transmitted between the encryption system and the decryption system during the secure transmission of a message m.



According to the proposed invention, each item of encryption equipment (typically a computer or a chip card) is composed of a processing unit (CPU), a communication interface, a random access memory (RAM) and/or a non-writable memory (ROM) and/or a writable memory (generally re-writable) (a hard disk, diskette, EPROM or EEPROM).

The CPU and/or the ROM of the encryption equipment contain calculation resources or programs corresponding to the cryptogram generation rules (multiplication, squaring and modular reduction). Certain of these operations may be grouped together (for example, the modular reduction may be directly integrated into the multiplication).

Just as for the implementation of the RSA, the RAM typically contains the message m to which the encryption is applied and the calculation rules for generating the cryptogram. The disks and the E(E)PROM contain at least the parameters n and g generated and used as specified in the description which follows.

The CPU controls, via the address and data buses, the communication interface and the memory read and write operations.

Each item of decryption equipment (identical to the key escrow equipment) is necessarily protected from the outside world by physical or software protection. This protection should be sufficient to prevent any unauthorized entity from obtaining the secret key composed of the secret factors of n. The techniques most used nowadays in this regard are integration of the chip in a security module and equipping of the chips with devices capable of detecting variations in temperature or light, as well as abnormal voltages and clock frequencies. Particular design techniques such as mixing up of the memory access are also used.

According to the proposed invention, the decryption equipment is composed at minimum of a processing unit (CPU) and memory resources (RAM, ROM, EEPROM or disks).

The CPU controls, via the address and data buses, the communication interface and the memory read and write operations. The RAM, EEPROM or disks contain the parameter φ(n) or, at least, the factors of φ(n).

The CPU and/or the ROM of the decryption equipment contain calculation resources or programs making it possible to implement the various steps of the decryption process described previously (multiplication, exponentiation and modular reduction). Certain of these operations may be grouped together (for example, the modular reduction may be directly integrated into the multiplication).
Within the general scope of the proposed invention, an encryption of the message m is implemented by exchanging, between the card, the signature equipment and the verification equipment, at least the data c.



